Device and method for checking railway logical software engines for commanding plants, particularyl station plants

ABSTRACT

Method and device for checking logical software engines for commanding railway plants, particularly station plants, comprising at least a computer with at least a central processing unit and at least a memory for loading and executing programs: a logical engine for commanding a plant, particularly a station plant, being loaded or loadable in said memory for its execution, which plant comprises a plurality of operating units for actuating and/or detection and/or measurement and/or signalling, so-called wayside equipments, which units are provided for receiving command signals and for transmitting control signals about the operating condition, and which logical software engine reads control signals given by the operating units for actuating and/or detection and/or measurement and/or signalling and its processes command signals of said operating units basing on an operation protocol of the plant itself. According to the invention, in the computer memory is loaded or loadable and is executable by the computer itself a software simulation program of the plant that must be controlled and commanded by the control and command logical program and which simultation program reproduces faithfully the plant structure and the operating modes of the operating units provided in said plant.

The invention relates to a device for checking logical software enginesfor commanding railway plants, particularly station plants, comprisingat least a computer with at least a central processing unit and at leasta memory for loading and executing programs:

a logical engine for commanding a plant, particularly a station plant,being loaded or loadable in said memory for its execution, which plantcomprises a plurality of operating units for actuating and/or detectionand/or measurement and/or signalling, so-called wayside equipments,which units are provided for receiving command signals and fortransmitting control signals about the operating condition, and whichlogical software engine reads control signals given by the operatingunits for actuating and/or detection and/or measurement and/orsignalling and it processes command signals of said operating unitsbasing on an operation protocol of the plant itself.

In railway field, the command of station plants occurs by means ofcommand logical engines which are based on Boolean algorithms. Controland command signals are univocally associated to state variables whichare processed by Boolean logic that provides output command signals asmodifications of said Boolean variables. Depending on the features ofprovided operating units, each of the said variables may have variousstate conditions and the associated variables representing the statecontrols and the state commutation commands of operating units may varywithin predetermined values, each of the said values represents anoperating condition of the operating unit as far as variablesrepresenting control signals are concerned, while the said valuesrepresent a commutation command from a predetermined operating conditionto a different predetermined operating condition or a command formaintaining the operating condition as far as command signals areconcerned.

Starting from a traditional realization of command and control logics,particularly of railway plants, in the shape of relay networks, atpresent the greater reliability and stability, as well as the greatercomfort and flexibility in using computers, have caused the transfer ofcommand functions from the relay hardware structure to a softwarecommand system emulating the behaviour of the traditional relay networkby means of a command and control logical program composed of Booleanalgorithms.

Because of the complexity of railway plants, even the logic forcontrolling and commanding the plant is relatively complex speciallyconsidering that in railway field the security operation standards arevery high.

In order to transform the control and command hardware logic formed byrelay networks into a program in the form of a control and commandBoolean engine, hardware/software smart systems have been developed toprocess automatically the control and command Boolean program bystarting from a traditional relay hardware network layout or from atable wherein the operation conditions of the plant are encoded in theshape of lists of state variables and state commutation variables, theso-called condition table.

At present the validation, i.e. tests, are directly made on the plant.However, this is a serious drawback firstly because an operating plantis actually required to which the control and command logic has to beapplied. This causes great problems due to great prolongation of timefor definitive installing a railway plant, since in addition to time foractual structural installation, such as line laying, and the hardwareinstallation of operating units, it is necessary to make long validationphases of the command logic thereof.

To solve this problem, at least partially, software programs forvalidating command software logics have been provided, i.e. Booleanengines for controlling and commanding the station plants, that processindividually and in parallel the same command and control logical engineby means of at least two generation programs of the control and commandlogical engine, starting from the same basic information about thesystem structure and the operation modes thereof. Two command andcontrol logical engines are therefore generated and are thereforecompared, whereas the validation is based on diversity criterions of theprograms generating the two logical engines which are considered correctin case of functional identity basing on said diversity of the twogenerating programs.

Such validation or certification mode does not meet fully considerationsthat are made from the security perspective of the plant operation andso the control and command logical program that has been obtained isalways subjected to a deep validation directly on the plant. Thecertification or validation mode by means of the diversity criterion ofthe software generating the command and control logical program lacks aninterface with the plant.

Therefore, even in this case of software certification and validation,such defect influences again the time for fabricating the plant inoperation condition and the time for developing and setting up both thecontrol and command logic and the plant itself. The situation becomesmore serious considering not only the installation of a new plant, butalso the modification of an existing plant. In such case certificationsand validations made on field influence railway traffic that pass anywayand must continue to pass on railway lines already existing. Thereforetimes are smaller and working conditions are more critical both for thedifficulty in working on a plant in use and for the considerations abouttraffic security that cannot be interrupted except for short periods.

Therefore, the purpose of the invention is to provide a device asdescribed hereinbefore that allows to overcome the drawbacks existing atpresent and described above.

The invention attains the above purposes by means of a device asdescribed hereinbefore, wherein a software simulation program of theplant is loaded or loadable in the computer memory and is executable bythe computer itself, which simulation program must be controlled andcommanded by the control and command logical program and whichsimulation program faithfully reproduces the plant structure and theoperating modes of operating units provided into said plant.

The simulation of the plant structure and of the operating unitsassociated thereto, such as track circuits to detect the presence of thetrain, switch points actuators, signalling actuators and other differentunits is represented in the simulation program by Boolean algorithms,variables associated to said algorithms being univocally defined torepresent control signals of the several state or operation conditionsof various operating units and the command signals for commutating ormaintaining state or operating conditions of said various operatingunits.

In a first embodiment the image of the plant behaviour under examinationof the control and command logical program is displayed in the shape ofvariable lists univocally associated to the several operating units. Insuch case, the program displays or allows to display report fileswherein the several operating units and the associated state or commandvariables are listed.

Advantageously, the simulation program allows the user to set startingoperating conditions of the plant and/or setting situations evenanomalous of the plant operating units to verify the plant reaction tothese conditions.

According to a preferred embodiment, to each plant operating unit and/orto each relevant structural element can be associated univocally avirtual image of the operating unit and/or of plant structural element,which image is generated by means of a graphic program loaded, loadableand/or executable by the computer of the device according to theinvention. The virtual image is univocally correlated to the logicalprogram for generating the operating unit or the plant structuralelement, the graphic program for generating the virtual image of eachoperating unit being such to generate various graphic aspect conditionsof the operating unit, each of them is univocally correlated to apredetermined value of variables relevant to the operating condition ofthe operating unit itself and/or of command variables for commuting ormaintaining the operating state of the operating unit.

According to a further aspect of the invention, the operation of thecontrol and command logical program is additionally in parallel oralternatively represented in the shape of behaviour of the equivalentcommand hardware logic composed of a relay network, an operationsimulation program of relays and an operation simulation program of therelay network being provided, as well as graphic programs representingrelays univocally associated to each program for simulating relays andto program for graphically displaying the relay network.

Also in this case, as in the case of operating units, each relay issimulated by means of a logical program of the Boolean type, singlestate conditions of the relay and/or the commutation commands beingrepresented by state or command variables and graphic programs beingsuch to associate various relay graphic aspects univocally correlated tovalues taken by said state or command variables.

By means of what said before, the device according to the inventionallows to execute the validation or the certification of the control andcommand logical program of the system on the base of a true and reliablesoftware model of the real plant with evident advantages in relation tocertification and validation systems used at present.

The two levels for displaying the functional behaviour of the plant, inthe shape of report file displaying values of state variables generatedby programs processed by simulation logical programs of operating unitsand in the shape of graphic representation of the operating condition ofoperating units allow to check in details the operating units of theplant and therefore the operation modes thereof both in an analytic wayand in a direct visual way of the physical operation condition.

A further alternative allowing the display of the command and controllogical engine in the shape of traditional relay network allows to checkthe engine operation according to the traditional hardware logicproviding an additional visual check means. However, also in this caseit is possible to display physically the aspect modifications of relaysrelevant to the operating condition, as well as to display analyticallythe state and command variables analogously to what said for theoperating units. It will be noted that the graphic representation of theBoolean command and control logic, in the shape of traditional relaynetwork, allows to check visually the internal operation of said logic,therefore making simpler the identification of errors inside the logicitself and not only on the base of wrong commands sent to operatingunits. Therefore it is displayed not only the situation of outputvariables and input variables to the control and command logic engine,but also the situation of modifications to which said variables aresubjected during the processing from input to output.

Additionally, the provision of an interface for setting particularoperating conditions of the plant or anomalous conditions allows tocheck the plant reactions with reference to different operatingenvironment. Such settings can be executed by the personnel by imposingspecific state conditions to various operating units at the beginning ofthe execution cycle of the control and command logical engine, beingpossible, by means of a suitable scheduling, to provide also conditionswherein one or more operating units are non-operating or operating in aanomalous way.

It is easy to notice that in the case of the present invention it ispossible to program or configure images and/or state and commandvariable lists of virtual operating units corresponding to the desiredor proper operation or state condition of the plant in conjunction witha predetermined operation situation. In such case, by providing suchnominal graphic images and such nominal values of state and commandvariables of virtual operating units it is possible to make not only thedirect and visual verification of a proper operation but also anautomatic verification based on the comparison between the nominal imageand the table or the nominal list of state and command variables desiredand previously scheduled and the image and the state and commandvariables effectively processed in the moment of operation of thecontrol and command logic with the virtual model of railway plant, anerror message being sent in case of non-identity. During this automaticverification can be displayed graphically and analytically the operatingunit that assumed a wrong condition and the relative state or commandvariable/variables.

Such mode can be extended also to the simulating representation of relaynetwork, indicating the relay or relays that have not been commutated inthe right condition and the relative state or commutation commandvariables.

As a further development it is also possible to provide automatic meansthat correct the control and command logical program on the base ofpossible corrections made by the user to the state or command variablesmodified manually in the presence of a state or command error of avirtual operating unit or of a relay in the corresponding commandlogical circuit constituted of the virtual model of relay network.

In this case, modification interventions both of alphanumeric type madeon report files of state or command variables, or interventions formodifying graphically the aspect of the operating unit or relaycorresponding to the state of said operating unit or said relay areinterpreted by a correction program that analyse the values of state orcommand variables set manually to correct wrong values, analyse thecontrol and command logical program and modify the code to commute theoperating unit or the relay in the correct state condition when occursthe operation condition with which the control and command logicalprogram had previously generated the error.

It is also possible to memorize areas of the virtual station plant andthe relative parts of the control and command logical program havingtypical plant structures that are recurrent in various station plants,to load and reuse both programs of Boolean simulation, and graphicdisplay programs as well as parts of control and command logicalprograms in new station plants having identical station areas.

The hardware/software structure of the device according to the inventionallows to extend the validation and the certification even to avalidation and certification system based on the diversity of theprogram for generating the control and command logical program, forexample a so-called Boolean algorithm checker.

It is possible to provide several possibilities. A first of thesepossibilities is to provide an additional program for generating thecontrol and command logical program object of validation by the devicethat works according to a code different than that used for generatingthe control and command logical program during the validation. Thecontrol and command logical program generated by the checker may becompared with the control and command logical program during thevalidation to notice the identity between the two control and commandlogical programs. In addition or alternatively the control and commandlogical program generated by the checker may be subjected to thecertification or validation by means of the device described above andthe results may be compared to those obtained during the validation orcertification of the first control and command logical program. In thiscase the comparison verification is made on state and command variablesof operating units and relays of the relay virtual network both from anumeric perspective and from a graphic perspective. For example aoverlapping of graphic images of the plant state conditions may besupposed which are obtained with the two control and command logicalprograms. With this overlapping of the image of plant state conditionthe possible differences are graphically highlighted or catch directlythe user eye.

The two modes described above may be made alternatively or successivelyone with respect to the other, the modification of the successionsequence of the two different comparison modes being also possible.

By making first the comparison relevant to the plant conditions obtainedby the two control and command logical programs it is possible forexample to identify better the parts of the program wherein thecomparison operations and so the possible correction operations thereofor the debugging enquires (error detection) may be limited.

It is possible to make the certification based on diversity in additionto the control logical program even to the logical programs forsimulating the single operating units and the plant structure as well asto logical programs for simulating relays or the relay network and incase this certification action based on the diversity of the generatingprogram may be extended also to programs for graphically representingoperating units or relays.

In a further embodiment, the Boolean checker is composed of a paralleldevice for verifying the control and command logical program of therailway plant by simulating the plant itself, which checker comprises acheck or test program and the simulation programs of the railway plantdeveloped according to diversity criterions, i.e. by other generating orwriting programs and such checker makes the same certification of thedevice according to the invention, that is the first checker device, onthe same control and command logical program, the results of the twoparallel tests being compared and from this comparison information orerror messages are generated depending on the result of the test if itis equal or if it has diversities.

In the field of the device according to the invention a design programis included, i.e. for generating the Boolean code and the program forgraphically representing the wayside equipments.

While the device of the present invention is based on traditional orsubstantially traditional processing systems, it should be noticed thatactually it is a technical device constituting substantially a virtualsimulator of the real plant structure and so it has advantages andtechnical effects.

The choice of software means is based on the fact that the command logicis a software too, whereby the implementation by means of a softwaremeans is the best solution.

It should be noticed also that the device according to the presentinvention may be provided with a suitable network interface and it maybecome a non-vital node of the railway plant by means of which it ispossible to modify easily the command and control logical program and toovercome virtually the same, for example in the case of a structuralmodification of the station railway plant, such as the removal of a lineor the addition of a line with the corresponding operating units.

Moreover the device according to the invention as a node networkconnected and interfaced with the railway plant may have supervisory ordiagnostic functions of the correct operation of the real railway plant,because it is easy to make a comparison between the state condition thathas been assumed by the real plant and the one assumed by the simulatedplant by providing the device with the same input variables of the realplant for the control and command logic. Such comparison may be madeanalogously to the comparison of the plant conditions obtained with thetwo control and command programs as described before for the additionalvalidation or certification based on diversity criterions.

By means of the device according to the invention, since it is a nodethat is part of a control and command system of a station plant, it ispossible for example, in emergency event, to simulate variouspossibilities for intervening and commanding the plant to realize, onthe plant itself, the choice that offers the best solution among thepossible choices.

Advantageously the device according to the invention comprise a programfor executing the simulating functions with a user interface of the typeused by Windows® program of Microsoft Inc. and that therefore comprisesoperating windows with function buttons, quick choice menus and otherfunctionalities typical of said interface, in addition obviously to theuse of mouse or of other pointing means, to selection and input ofcommands and the keyboard to input numerical, alphanumerical data and/ornumerical or alphanumerical commands, such as to create and modify thegraphic images of operating units and/or of relays or of other parts ofthe plant structure. This makes the actions very simple and easy for theemployed personnel by creating an interface between the computer and theprogram and the user that is very known and of large employment.

Further features and improvements of the device according to theinvention are subject matter of the dependent claims.

The features of the invention and the advantages derived therefrom willappear more clearly from the following detailed description of someembodiments by way of a non-limiting example illustrated in the annexeddrawings, in which:

FIG. 1 schematically shows a device according to the invention in theshape of a computer or a personal computer and the possible remoteconnections.

FIG. 2 shows a flux diagram of the functional test made by the deviceaccording to the invention.

FIG. 3 shows a schematic diagram of the internal functions of the deviceaccording to the invention.

FIG. 4 shows an example of a display window of the system graphiclayout, particularly of the station or the station region simulated bythe device during test function of a command and control logical programof a railway system.

FIG. 5 shows two details of toolbars and instruments of starting windowsfor carrying out the verification by means of the device according tothe invention.

FIG. 6 shows an example of windows that are displayed when the completesimulating and test program is loaded and wherein a control window isopened for the dev_pl equipment.

FIG. 7 shows an example of a window for the add and modify selection ofsimulating programs of system operating units, particularly waysideequipment.

FIG. 8 shows an example of a window for the interface specification ofeach operating unit or equipment simulator defined by FIG. 7 window.

FIG. 9 shows an example of a window for executing the specificationfunction of the behaviour of the operating unit or of the equipment inrelation with the virtual model composed of the Boolean simulator thatdescribes it.

FIG. 10 shows a table for describing values that can be assumed byvariables in truth table and the above table.

FIG. 11 and FIG. 12 show drop down menus that can be activated by thespecification window of the behaviour of the operating unit or ofwayside equipment according to FIG. 10 to execute particularspecification functions of said behaviour.

FIG. 13 shows an example of a window for selecting graphic aggregates.

FIG. 14 and 15 show additional windows to execute functions formodifying or adding graphic aggregates accessible by buttons of thewindow for selecting graphic aggregates according to FIG. 13.

FIG. 16 shows an example of a window to execute the state and coloursspecification of graphic objects.

FIG. 17 shows a window for selecting and loading a “Condition Table”.

FIG. 18 shows a structure table of a “Condition Table” file.

FIG. 19 shows an example of “Condition table” file.

FIG. 20 shows an example of “Simulation Commands” window.

FIG. 21 shows an example of a window for managing simulation commandsaccessible by quick button or menu command in the window according toFIG. 20.

FIG. 22 shows an example of a window for selecting the variable valueaccessible in the window according to FIG. 20 by quick button or menucommand.

FIG. 23 shows a window for displaying Boolean equations of the controland command program.

FIG. 24 shows a window for displaying the equivalent circuit of aBoolean equation of the Boolean equation system composing the controland command program during the test step.

FIG. 25 shows an example of a window for displaying the circuit of asimulated equipment.

The annexed pages A1, A2, A3, A4 show an example of a test according tothe tool for executing automatic test and include the report file ofsaid test.

Referring to FIG. 1, the device according to the invention consists of afunction simulator of one or more systems that are composed of a stationapparatus with a vital computer with regard to test of the command andcontrol application logical program which is implemented as a group ofBoolean equations. The device is formed as to simulate a stationapparatus with a vital computer in all its operating conditions.

In traditional systems for commanding and controlling railway plants,the application logic for operating the system is in the shape of arelay network. Lately, with introduction of computers more and morereliable and steady, application logic of the plant has been replaced bya command and control logical program which is executed by a computer.The program is comprised of a group of Boolean equations that cyclicallyread the state conditions of a plurality of operating units, theso-called wayside equipments, such as track circuits for detecting thepresence of trains at predetermined line lockings, signalling devices,switch points, etc., and basing on said conditions, coded in the shapeof state variables, the Boolean equations compute or define new outputstate variables that constitute commands for commuting the state or formaintaining the operating state of operating units for the adjustment toconditions represented by the input variables.

The group of Boolean equations has to execute the computation of thestate conditions of wayside equipments in a way corresponding topredetermined operation modes that are coded in functional behaviourtables of the plant, so-called condition tables. The device according tothe present invention has to emulate the functional behaviour of arailway plant, that is a vital computer railway apparatus. Suchemulation allows to verify the control and command logical programexpressed by the formalism of the Boolean equation system as if theverification is executed on the real plant itself. And this occurs bothwhen the plant is in correctly operating conditions and when there areanomalies of one or more wayside equipment.

The device according to the present invention as shown in FIG. 2includes a computer memorizing a test and simulation program and hasinterfaces to data and/or commands inputting means, display means,connecting means to remote apparatus, such as the station apparatus withvital computer, remote computers for executing collateral procedures andso on. The emulation program includes several routines and inparticular:

a routine to execute the Boolean equations that composed the programitself;

a routine to configurate input or initialization variables of Booleanequation system, that is the setting of operation backgrounds of theplant;

a routine to display the graphic image of the plant and of operatingunits included therein and which provide an image of operating unitsthat is different for each of the operating states that can be assumedby the operating units or wayside equipment and which graphic image isunivocally connected to said state or said operating condition of thewayside equipment, as well as to other collateral routines that completeand simplify test actions.

The plant simulation occurs by generating a virtual model of stationplant wherein the operating and/or structural elements of the plant areunivocally identified and whose functional behaviour is restored byBoolean equations.

The physical structure of the system is defined by associations of saidstructural or operating units that describe and/or display therespective arrangement in the plant diagram and define which operatingunits have to work together.

As it will be noticed more clearly below, the operating units, i.e.wayside equipments, are described by output state variables so-calledcontrol and that describe the operating condition of the unit or waysideequipment and by variables for maintaining and/or modifying the inputstate that indicate if the operating unit has to change state or not andtowards which state the transition has to occur.

To generate the virtual model of the railway plant, the device accordingto the present invention provides not only the simulation of thefunctional behaviour of wayside equipments in the shape of logicalprogram in the form of Boolean equations, but also the graphicrepresentation of the wayside equipment. Such graphic representationcomprises several predetermined graphic aspect options of the waysideequipment, each of them corresponds univocally to an operating statethereof and is associated to one of the predetermined values that areassumed by the state variables of the simulation logical program of thewayside equipment or to a predetermined value combination of two or morestate variables provided by the simulation logical program of waysideequipment. Obviously, the graphic aspects of the wayside equipment willbe schematic reproductions of the wayside equipment aspect and theseveral aspects corresponding to the several operating conditions ofeach equipment are different one from the other so as to reproduce asmuch as possible the real modifications of the aspect of waysideequipment in various operating conditions.

Advantageously the device according to the invention may also comprisetools for modifying and/or generating simulation logical programs ofwayside equipments and/or of the graphic aspect for representing saidequipments in various operating conditions. These can be memorized andthen recalled as generic routines that assume a specific and unique rolein a predetermined plant diagram by means of defining univocalidentification names and univocal relations or functional associationswith other wayside equipments or other structural elements of the plantas well as with corresponding arrangement relations in the spaceregarding the placing thereof in the graphic representation of theplant.

Obviously, as results from FIG. 1 the plant can operate also in directcombination with units generating the control and command logicalprogram and/or with the real vital computer station apparatus and thereal railway plant, being a non-vital node of a connection network withsaid units.

Therefore, referring to FIG. 3, the device substantially is aworkstation based on a personal computer. Advantageously the preferredoperating environment is Windows NT® environment upon which the specificdevice simulating software is set up. Said choice of the operatingenvironment is an advantage as Windows NT® environment and its basicfunctionalities are broadly known. Therefore the operating environmentis structured as to display several work windows, comprising the stationor plant diagram, while the user is working on configuration and/orcontrol elements of the simulation device itself. By means of onemonitor and preferably two monitors the user can see directly theselected functions or set actions, as the main simulation logicalprogram and the graphic management program interact therebetween.

The auxiliary display is controlled by the desktop extension functionsalready provided in Windows® environment.

The software of the device is made as a typical Windows® application andtherefore it employs typical tools of the operating environment. Herethe specific sphere of all the possibilities and of the window structureof Windows® is not considered since this is part of a basic common andwidespread knowledge.

To execute the checking by means of simulation with the device accordingto the invention it is necessary to make several starting activitiescomprising the following steps:

generating the graphic descriptive file for check means;

checking said graphic file;

generating Boolean equations whose system is the core of the control andcommand logical program;

possible generating of the conversion table;

possible generating of the coded condition table;

possible generating of text files so-called batch commands.

The checking activity of the command logical program uses check meansthat are generally known.

The check program by means of railway plant simulation comprises thefollowing data:

File with Boolean equations that describe a station or an area to bechecked;

Graphic files of the station or station or area o areas to be simulated;

Possible files containing the conversion table;

Possible files containing condition table and possible text filescontaining batch files.

As the result of test is provided an output report file that can be usedby the user and/or memorized. During the test execution, the dynamicoperation of the railway plant may be controlled both real-time and incase later and this by means of the display of alphanumeric messages orof state variable values and by means of the graphic representation ofthe plant itself.

The starting of the working session may comprise the generation of a newproject or the loading of projects already started. If it is a newproject one or more stations or plant areas have to be selected to usein the simulation.

After the loading and/or the generation of the project data it isnecessary to provide the device configuration. The activities to beexecuted to make the test by means of railway plant simulation are:setting of a system cycle time; definition of suffixes for each kind ofwayside equipment, definition of simulators of wayside equipments, thepossible addition of area to be controlled, association of equipmentsimulators to variables; definition of colours and states that thedrawing objects can assume, assignment of stats and colours to thedrawing objects.

As already said, there is also a command that operates directly on thegraphic diagram of the station or of the plant area to define equipmentstates and objects colours.

It is possible to activate control windows by selecting windows orobjects to be inserted in windows and/or to activate the command bar ifit is not already active. Obviously it is possible to make tests andsave the current state of the project. To this end, it is convenient tomake savings as the simulation situation evolves, saving always withdifferent names to not overwrite the old configuration. Eachconfiguration is re-loadable to start a new simulating step. During thesimulation it is possible to execute configuration batch filescorresponding for instance to different operation or configurationbackground of the plant or to different commands.

The device can be completely managed by a remote workstation by means ofa command and remote connection module, particularly by means of networkprotocol and more preferably by means of TCP/IP protocol.

The user may end the check process by simulation at any time withoutloosing the work already carried out, by saving the project. Projectmeans all files generated before the test process and all filesgenerated during the configuration and simulation steps thereof.

FIG. 4 shows an example of a screen showing what appears on a monitorduring a test execution.

The first screen that appears by starting the system is substantiallysimilar to that of FIG. 5. A window wherein the top 10 allows to managethe application is opened, whereas the window 11 is the command bar forthe simulation. This second window can be shifted by highlighting thetop band and dragging it in a location useful for the user.

Directly below the main command line 110 (file, Views, etc.) a quickbutton bar is displayed to activate quickly some commands.

The meaning of buttons will be disclosed in sections that deal with thecommand itself.

Moreover a help command or button is provided which activates a helpmenu by which it is possible to enter or consult a guide file. The guidecan be of interactive type or on line analogously to Windows®environment. Analogously to this environment once activated the command,a window of the guide appears from which it is possible to selectdisplay, printing options and so on.

File command in the command bar 110 allows to start a new project or toopen an existing one, to save the current project and to save thecurrent project and exit the application. The command options of filecommand are accessible by means of a typical drop-down menu which listsall the command options and it is possible to select the desired commandtherefrom.

Some or all the commands can be personalized and transformed by creatinga routine in any kind of quick activation buttons.

Quick button 210 allows to start a new project, in order to define thewhole background of a simulation, that is to define the stations to beexamined, control windows which are desired to be activated, variablesto be displayed, display modes, as for example the window aspect,colours, intermitting colours, displays with numerical wave-forms or ofother kind.

If a project is already loaded in the device, the user is asked to saveor eliminate the project by a communication window having commandbuttons for executing the above several options.

In order to save a loaded project it is possible to use thecorresponding command of “file” menu or to use the save quick buttonindicated at 410.

When loading, the program controls syntax and semantics of configurationfiles and of graphic drawing file of the plant, of the areas thereof andof wayside equipments. Moreover, the simulator modules are identified,i.e. simulation programs of operating units, i.e. of wayside equipmentsand graphic display modes of wayside equipments or operating unitstates, such as colours of graphic objects of the drawing. When saidfiles include an irreparable error, the device does not load the filethat has errors. Errors are listed in a summary box of a windowdisplayed for each plant, station or plant area.

The finishing function is ended when the operator sends a confirmationand the result of loading is the opening of two windows 10 and 30 asshown in FIG. 6. In addition to the main window 10, is generallydisplayed even the control window 30 and the graphic layout of the plantor of the station or of the loaded area.

The loading of a project provides displaying of following data:

Name of the plant or of the station or of the area, number of variableswhich are included in equations describing the plant or the station orthe area, number of Pterm, i.e. product terms obtained in the Booleanequations, of the plant, or of the station or of the area, the variablecovering, i.e. the percentage of variables processed with the proceedingof the simulation and the covering of Pterm, i.e. the percentage thathas been processed with the proceeding of the simulation.

The quick button 510 provides the closing function of a project. Projectmanagement menu that is accessible from the command bar 110 of window 10makes available two commands that are Add Station/Area and CancelStation/Area commands. To these commands quick command buttons areassociated which are indicated at 610 and 710 in the quick button bar.

Add Station/Area command or the corresponding quick button 610 allows toadd a new station or a new area to the project that is already loaded inthe memory.

A dialogue window is displayed for specifying the Station/Area. The usercan specify filenames belonging to the station or to the area that theuser must type in a field of the dialog window. Instead of typing thename, the user can use a searching means which is accessible by means ofa searching button. In this case a window is opened wherein savedstations or areas are displayed. With pointing means, the user canselect and load the desired stations or areas among these in the list.It is also possible to select the format of graphic files that containthe station or area graphic drawing for example a CAD or TGIF file type.

By the “layout” button the user can specify the particular filesconstituting the station or area graphic drawing. Depending on thedrawing format, a dialog window is opened to specify the correspondingstation or area. In the predetermined field the user can indicate thedrawing filename for example in CAD format. An auxiliary CAD file fieldallows to specify a file containing further graphical symbols to benaturally joined with the CAD drawing. When the selection ends, theprogram loads the station or zone configuration file and the station orzone drawing files. During the loading, files are syntaxly andsemantically controlled. If files have irreparable errors, the systemdoes not load files containing errors. The program lists errors in asummary box. If a serious error occurs in the configuration definitionfile, the station or the area will not be made in the memory. If theloading is properly ended, the station or the area is made in the memoryand the graphic drawing appears on the screen.

It is possible to execute the action of eliminating a station or an areafrom the project by means of Cancel Station or Area command or by meansof the corresponding quick button 710.

The command bar 110 provides the additional “configure” command. Thiscommand provides the possibility of choosing between several options ina menu. A first option is the cycle time definition command. Even forthis command a quick button is provided indicated at 810 in FIGS. 5 and6.

The logical program for controlling and commanding a railway plant,particularly a vital control station apparatus, executes the reading ofcontrol signals provided by wayside equipments and the sending ofcommand signals according to a cyclic operation. Typically the wholetransmission and processing reading cycle is executed in about 500 ms.In each cycle the Boolean equations which formed the control and commandlogical program are recalculated. In the program of the device accordingto the invention, the user can set any cycle time corresponding to areal number. To this end, the quick button 810 or the menu command causethe opening of a window for setting the cycle time wherein it ispossible to specify a cycle time.

The “Configuration-Modification suffixes” command, allows to determinethe suffixes. It is an important act-ion since suffixes determine thebehaviour and the semantic meaning of Boolean variables in the systemconfiguration file, that is equation file. A wrong suffix definition maycause an irreparable error during the processing of the systemdefinition file and this error disables the management of correspondingstations or areas or wayside equipments, i.e. of operating units.Suffixes have to be defined in compliance with similar definitionsincluded in the system definition file, that is in the data file fromwhich system EPROM memories are programmed. Settings of suffixes areexecuted with the help of a dialog window.

It is possible to use a box for modifying the suffix to specify suffixname. The name can include block letters. A “Type” drop down menucomprises all possible types that are available and selectable.

Suffix meanings are:

Input: It is possible to use variables of “input” type only on the right(element of a product term) of a Boolean equation into the systemconfiguration file. When reference is made to a variable of “input” typeon the left of a Boolean equation, as a result the program points out anerror during the system definition file loading.

Output: Variables of “output” type have to be used on the left of aBoolean equation only once. When reference is made to a variable of“output” type on the right of a Boolean equation or more than once onthe left thereof, the program points out an error during the systemconfiguration file loading.

Current cycle: It is possible to use variables of “current cycle” typeon both sides of a Boolean equation. A reference to the variable ispossible only once on the left and so many times as desired on the rightof equations which are successively calculated in the same cycle. If theuse of a variable of “current cycle” type does not comply with the abovenorms, the program points out an error.

“Subsequent cycle”: It is possible referring to variables of “subsequentcycle” type on both sides of a Boolean equation. These variables may beplaced on the right of an equation (term) at any time. If a referencehas been made to such variable on the left of an equation (result) it isnot more possible to use it on the right i.e. in equations executed inthe same processing cycle but calculated successively.

Shared input: “shared input” variable type is similar to “input” typehaving the only difference that the program updates these input valuesby using suitable “shared outputs” of other areas or other equipmentsafter each calculating cycle.

Shared output: “shared output” type is similar to “output” type havingthe only difference that the program employs values of these outputs toupdate suitable “shared inputs” of other areas or other equipments aftereach calculating cycle.

Timed: “timed” type is similar to “current cycle” type. The differenceis that the variable associated to “timed” type will be true if theequation calculating it is true and the delay time that is specified forthe variable is expired, starting to count when the starting equationbecomes true. If the variable associated to the timer has beenpreviously calculated as true and the equation associated thereto is nowcalculated as false, the value of the timed variable will go immediatelyto false without any delay. An equation used to calculate a variable of“timed” type must be preceded by the definition of a delay, as indicatedbefore with reference to the command for setting the system cycle time.The program point out an error if a delay for an equation of a non“Timed” type has been specified or if an equation of “Timed” type is notpreceded by a delay specification.

Blinking Output FLS: this type of variable is equivalent to the “Output”type. The equation that calculates the value of a variable of “BlinkingOutput FLS” type must be preceded by an equation calculating the valueof a variable defined as “Output”. If equations do not meet thiscondition, the program point out an error.

The command bar comprises an additional command called “Configure-Addequipment simulator”. Analogously to other commands, also this commandcan be activated by a quick button indicated at 910 in figures. By thiscommand it is possible to define a physical equipment or operating unitsimulator. The definition of physical and logical equipment simulatorsconsists in defining a model that is made in three steps:

defining a name for the new simulator;

interface specification;

designing the behaviour;

A window is activated an example of which is shown in FIG. 7. The windowallows the selection of simulator name. The name may be typed in asuitable box of the window. An add button allows the addition of thespecified name to an existing simulator list and at the same time itopens a dialog window for defining interface and the window of the truthtable for the new simulator. If simulators having the same specifiedname already exist, the program denies the action and it opens a dialogwindow with an alert text to inform the user. By a modify button theuser can modify existing simulators. Modification function allows themodification both of the simulator name and the content. The programallows to modify more than one simulator at the same time.

For removing a simulator from the simulator list it is possible to use acancel button which will remove the simulator whose name has beenhighlighted in a selection dialog box.

As regards the simulator interface constituting the second step fordefining each simulator, this is composed of a form set and ofcorresponding alias, types and functions. To specify the interface adialog window for defining the interface is displayed as illustrated inFIG. 8.

The user can specify a form by using a “modify” command button providedin said dialog window. This form is used to identify the variable rightname during the simulator-variables association. A form can includeparametric or constant components in arbitrary order and depending onthe syntax of the form itself. The form definition is an obligated step.Alias is the form short name and it is used to identify the form in thetruth table of the simulator. Alias name has to be defined in an aliasbox in the interface definition dialog window and this namespecification is necessary.

The form type substantially describes variable rule which arerepresented by the form in the simulation. It is possible to select theused type with a “type” option box.

The variables types are:

Parameter: the parametric type variables represent the outside simulatorinterface. The equations of the vital computer station apparatus controlthe simulator by using these variables, if they are defined as “inputs”.If variables are defined as “outputs” this means that they are used asequation input variables of the control and command logical program todetermine and to update the system state.

Control: Such variables are used to control the simulator behaviour.These variables are associated to buttons to offer the user an interfacethat allows to modify the simulator behaviour during the simulation orto simulate possible failure situations. Control variables may haveinput or input/output attributes. The output attribute is not inhibitedbut it has no meaning in the case of control variables. Variables with“input” attributes are associated to a button that is pressed byclicking with the mouse and released with another click. If a variableis provided with input/output attributes both the simulator and the usercan set the button state. For example the user clicks on a button toactivate it and the simulator can release it after some action cycle.The form associated to “control” type can include only constantcomponents.

Local State: “local” type variables are used to memorize simulatorinternal states. That is to say that this kind of variables allow todefine a sequential behaviour and not only a combinatorial behaviour.These variables are not visible from the simulator outside. Thesevariables may have only input/output attributes. The form associated tothe local type variable may include only constant components.

Input and output attributes may be selected by using an “input/output”option box.

After having specified form alias, the type and “input/output”attribute, the user may add these information in the interface by an“add” button command. Both the specification of the alias and thespecification of the form are obligatory and must be univocal.

It is possible to modify the specified attribute group such as form,alias, type and “input/output” by a selecting action in the dialogwindow list and by using a “modify” function button. Analogously it ispossible to remove a specified attribute.

The third step for the simulator definition comprises the functionalbehaviour design. To this end the program is provided by a window with atruth table (see right side of FIG. 9). This window is automaticallyopened when the user defines that the addition of a new equipmentsimulator is desired. The truth table is divided into two partsseparated by a thick vertical line. The left part of the truth tablerepresents the simulator current states, while the right part is thesubsequent state. The table includes a column for each variable definedin the interface. Variables with “input” attributes appear on the left,while variables with “output” attributes appear on the right. Variableswith “input/output” attributes appear on both sides. The table headerincludes variable alias names.

This representation allows to design both sequential and combinatorylogic which functions for model the simulator behaviour. If a userdesigns a sequential logic (i.e. a logic including “input/output”attribute variables) on the left side appears Markov logic model.Circles represent logic states, while arcs are transitions. Positioningon arc arrows, the program displays the possible input states to startthe transition and the output states set during the transition. Thewindow structure is shown in FIG. 9.

In the case of a new simulator, the right side of the truth tableincludes “+” characters representing a not initialized state. The usercan overwrite the values in the cells of the right side (outputs) byclicking on a cell with the mouse button. Practically this means todefine that determined output state when input conditions appeared (leftside of truth table). The table of FIG. 10 sums up value meanings thatcan be assumed by each single cell of the truth table.

“*” value is a cell value not initialized.

“X” value means that if said value is given to a cell on the right sideof the truth table, in the same row even all the boxes of the left sidewill have “X” value. This means that the state identified by thecorresponding row is not available. Practically this is a combinationthat is not admitted or used during the simulation.

“0” value means that when input conditions in this cycle are verified,next cycle output will go to “0” value.

Analogously the “1” value allows that in the subsequent cycle the outputwill go to said “1” value.

In order to help the user the window offers further functionsillustrated in FIGS. 11 and 12.

It is possible to enter functions not only by menu commands but also byquick buttons, as will be described hereinafter.

Modify-Parameters command can be executed also by the quick buttonindicated at 20 in FIG. 9. This command closes the interface definitiondialog window. When the dialog window is closed it is possible to openit by clicking on said button or by using the command.

Modify-Copy command or the quick button indicated at 21 in FIG. 9 allowsto select and to highlight any square area of truth table using themouse as selection and activation tool. The selected area can be copiedin note file.

Modify-Paste command allows to control the content of noted in aselected area. The selected area has to correspond in size to the areathat has been memorised in notes.

Other commands are accessible in this step. For example the user canmodify colours whereon selecting, modifying character fonts or tasklayout fonts.

The Association function of equipment simulators to variables allows toassociate the simulators defined in the system to a suitable variablegroup. Such function is activated by means of DeviceConfiguration-Definition command or by means of the quick buttonindicated at 1010 in FIGS. 5 and 6. To create a link between a type ofsimulator and logic variables associated thereto the user has to specifythe station/the area or the equipment to which it is applied, the typeof simulator and the label of the wayside equipment or of the command tobe simulated. To help the user it is possible to select theseinformation by using option boxes of a dialog window. Option boxes allowto load the name of the area, of the station or of the equipment alreadydefined, the defined simulator type and, if there are loaded drawingfiles, the label included in graphic objects of drawings. Even if theprogram prompts the possible information, the user is free to type anydesired string. Such possibility allow to specify simulators which willbe realized later, to make reference to a non-loading station and tospecify the objects to be simulated which have not a graphicrepresentation in drawings.

The association between variables and simulator occurs during theproject loading process that is made after pressing the close command.If the loading process is not capable to carry out the desiredassociation, the program points out an error and displays a message intothe loader dialog box. These association errors do not prevent thesimulation that can goes on with valid associations. The identifyingstring may include one or more labels separated by a “,” character. Theidentifying string has to correspond to forms defined in the interfaceof the associated simulator. The program prevents the multipledefinition of a descriptor by displaying a proper error message.

The definition of colours and states of the drawing objects occurs bymeans of the Layout Configuration command in Configuration menu or bymeans of the quick button indicated at 1110 in FIGS. 5 and 6.

The state and colours of a graphic object that represent a waysideequipment, an area or a station, are determined by a variable groupdefined in the station/area configuration file. The variable group isdescribed by using a form for each variable of the group. These formsare used to find variables during the step of “assignment of state andcolours to the drawing”. As in the equipment simulator definition, it ispossible to define the state and the colour of drawing objects in threesteps:

Type of graphic objects included into the drawing;

Specification of interface, to be done for each element that has beenadded or modified during the preceding step (type of graphic objects);

State and colour of the drawing objects, to be done for each interfaceof the preceding step.

Therefore the first step is the specification of graphic objects typesincluded into the drawing. To this end by activating theConfiguration-Configuration Layout command or by pressing the 1110button, the program displays the dialog window illustrated in FIG. 13.

The user can type the name of new definition of graphic object in the“Type” modification box of the dialog window. The subsequent steps fordefining the interface and for defining colours occurs by adding andmodifying elements.

When the modification option is activated, by means of a correspondentbutton, two new dialog windows are opened shown in FIGS. 14 and 15respectively and which windows allow to modify or add graphic objects.

The interface specification occurs during the second step for definingthe state and the colour of objects. The interface is a variable groupto determine the current colour state of graphic objects. It is possibleto define the variable group by using the dialog window illustrated inFIG. 15. The user can specify the variable name in the provided box byusing the same syntax of which it has been already said discussed.Analogously to what has been already described more times referring toother functions, the dialog window has various buttons among which theAdd button. In this case, such button causes a routine to add thespecified for into the variable form list. The program controls the formfrom a syntax perspective. Moreover, the program removes the wrong formand sends an error message that is displayed in the message area. Theprogram prevents using suffixes which are not defined in forms.

After the interface specification, it is necessary to define the stateand the colour of the drawing objects. The user can specify a statetext, an outline or filling colour for graphic objects of the drawing byusing the table of FIG. 15.

The window which can be resized to the maximum screen size includesvariable list (forms) of the first row (header). The table, as alreadysaid, is divided into two parts separated by a thick vertical line. Theleft side of the table includes state table that can be scrolled by theunderneath cursor or individually if the state table is bigger than thewindow, whereas the right part includes coloured signalling and theassociated text. The user can specify form states by clicking on a cellwith the mouse, the program displays a summary box for selecting thecell value. Entries of state summary box are:

“0”: this entry set the variable form on false.

“1”: this entry set the variable form on true.

“X”: this entry removes the whole row containing cells that have beenactivated by the mouse.

It is possible to add a new row to the definition table by clicking withthe mouse on a cell of the first empty row in the state table. In thiscase, the program displays the same above state table, but the selected“0” and “1” values are used to initialize the whole row. If the row hasbeen initialized is than possible to set the desired values for eachcell of the row as described above.

On the right side of the window are indicated the selected colours forthe signalling. It will be noted that each box is a square with aninternal colour and an outline or frame colour, both colours beingalterable. For each row that has been filled in the table, it ispossible to define a colour for outlines, a filling colour and a stateindication text. After having defined a row, the program assigns thepredetermined colour and state and displays the colours and state intothe two columns on the extreme right of the table. The predeterminedoutline colour is intermittent light grey, whereas the filling colour isintermittent dark grey and the predetermined state text is “no definedstate”.

It is possible to modify the outline colour by clicking on the thickedge of the colour definition square in a row. In the same way it ispossible to modify the filling colour by clicking with the mouse on theinternal square of the colour definition square. To modify colours adialog box is displayed. Even the flashing attributes may be modified ina analogue way as hereindescribed by using the mouse and clicking withthe right button on the section that is desired to become flashing. Theflashing is ended by repeating this action. It is also possible tomodify the state text by clicking with the mouse on the text to bemodify in the extreme right column of the table.

According to a further characteristic of the device of the presentinvention, the device may comprise means for connecting to a network forthe connection to workstations or to other remote devices. The networkcan be realized according to various protocols. The network protocolthat is generally used is the TCP/IP protocol due to its greatspreading. The remote unit can be used to control the device and also toload and execute pre-existing simulation command files that have beenpreviously written. Said command files called “batch files” can be alsodirectly loaded in the device by means of proper and known readinginterfaces, as for example files that are memorized on floppy disks,CD-ROM, or the like.

However in both the above cases it is necessary that batch file commandsare translated in a language that can be executed by the application ofthe device according to the invention. To this end a translate table isprovided called conversion table. This one is offline written and mustbe loaded in the device according to the invention before executing thebatch file or before executing the connection and the command from aremote workstation.

The condition table selection command allows to select a Condition tableindicating the path. A dialog window is opened as the one illustrated inFIG. 17. The Condition Table file path can be directly written or asearch function can be activated by means of a “Search” button providedin the dialog window. When the Condition Table file is found, byselecting this file it is possible to confirm its loading by means of afunction button provided in the dialog window.

Advantageously the Condition Table file is structured with a structuresimilar to that of Windows files .INI. FIG. 18 illustrates the basis ofthis structure.

FIG. 19 comprises an example of a Condition Table file. In order to makethe information intelligible by the Boolean equation system constitutingboth the control and command logical program to be tested and thelogical simulators of the wayside equipments, of stations and/or of theareas, the condition table substantially includes the behaviour rules ofthe plant, that are rules for assuming the several operating states ofwayside equipments in predetermined operation condition.

As already said before, the device allows not only to check the finalbehaviour of the control and command logical program on the station orarea reproduced by Boolean simulators, but also to check the internalbehaviour of equation system. This occurs by means of control windowsthat can be defined in relation to the number by the user himself. Theuser can assign any desired variables to each single control window. Theprogram of the device keeps a chronology for each variable to allow theuser to recall the preceding states by using control windows. The toolused to define control windows is a tool called “Views”. Such toolallows the opening of a menu that comprises various options. An optionis the Add Control Window command. The command is also accessible by aquick button indicated at 1210 in FIGS. 5 and 6. This command allows toopen a new control window. For each new control window it is required tospecify a name that must be univocal and for the name definition a newdialog window is opened. A typical control window is illustrated in thefigure and where it is indicated at 30. An open control window has atoolbar that functions to set variables to be displayed moving insidethe chronology. Analogously to what already described before in othercases, commands are always accessible alternatively by a choice in adrop down menu or by means of quick buttons.

Add variable command or the quick button 130 allow to select variablesto be controlled. It is possible to pre-select variables to be displayedby using a search dialog window.

The search dialog window provides various button that allow to performfunctions such as to cancel the selection, to add a selected variable,to cancel one or more variables and to confirm the selected variables inthe control window. It is also provided a button for cancel the currentselection process.

By the Cancel Variable command or by the quick button 230, it ispossible to remove a displayed variable from a control window. Even inthis case, as in the preceding command a dialog window is displayed toexecute the command and this window has buttons for activating specificfunctions such as Cancel, Cancel all, Close.

The Display Wave/Numerical Form command or quick buttons 330, 430 allowthe selection of wave or numerical display modes of variable/variableswhich are displayed in the control window.

Analogously it is possible to provide commands or quick buttons toscroll or browse among the various possible control windows that aredefined by the user.

The Cancel Control Window command or quick button 1310 cause thecancellation of a control window. In this case a dialog window isdisplayed wherein all the opened control windows are listed and amongwhich it is possible to select the control window or windows to beeliminated, the cancellation being possible by means of a “Cancel”button.

A further command is the simulation command named View_Activation ofcommand Bar. The command bar can be activated and disabled by thiscommand that is available also as quick button indicated at 1410 in FIG.6. To give commands to the simulator, the program displays a controlwindow that is illustrated in FIG. 20. The control window is composed ofa toolbar for commands and an area for messages, to display commands andmodifications during the simulation execution. Quick commands in theshape of quick buttons are also available, drop down menu commands arealso available for these commands as already provided for othercommands.

By the simulation Mode command the user can select various options in adrop down menu. Among these options the following are important:

Single cycle option, that can be activated also by means of quick button40. This option allows the execution of a single calculating cycle.After the execution the program automatically updates the message windowand/or window/windows comprising the design/layout of the station or thearea according to the new state.

Continuous cycle option accessible also by the quick button 41. In thiscase, the program starts to calculate in a continuous way cycle aftercycle. During calculation, the message window and/or window/windowscomprising the design/layout of the station are automatically updated.

Multiple cycle option. Even this option can be activated by a quickbutton 42. It is possible to specify a certain number of cycles to becalculated continually. The specification of the number of cycles ismade by a dialog window wherein it is possible to indicate the desirednumber of cycles.

The calculation can be stopped in any moments by a stop command or aquick button 43.

Finally there is also a batch command or a quick button 44, with which abatch file is loaded and executed comprising an already madepredetermined sequence of commands. The batch file execution is similarto a macro execution. As already said before, batch file commands haveto be translate by a conversion table and must have a predeterminedstructure. Batch files can be edited by means of a text-editor such asWrite® or Word-pad®.

The Image file Generation command or the quick button 45 allow tomemorize the current state of simulation in a file so-called “snapshot”.Snapshot file is saved by the user command with a name suggested by theprogram and including the date and the current hour.

The Reload Image file command or the quick button 46 allow to restore aspecific simulation situation by calling up a snapshot file previouslymemorized. Obviously to select the snapshot file to be call up theprogram displays a dialog window wherein it is possible to select thedesired snapshot file and open it.

By a restart command or a quick button 47 it is possible to restart thesimulation. After a restart all the equation system variables and thesimulator are set on value “0” and the cycle counter is reset. To startagain the simulation it is necessary to execute a reset sequence of thenormal state of wayside equipment simulators.

The User Commands command opens a drop down menu that allows to accessthe Commands Management and Variable Value Definition functions.

The command management can be call up also with a quick button indicatedat 48. By this tool it is possible to modify simulator behaviour of eachtype of equipment (both physical and logic) by using the buttonassociated to the control variables defined during the simulatorconfiguration of equipments. To access the proper button the programdisplays the dialog window illustrated in FIG. 21. The list on the leftof the dialog window includes the existing types of simulators. The usercan display the simulators in the list of the dialog window by clickingwith the mouse on the selected type. Simulators are identified by thefirst element of identification strings that has been specified duringthe simulator-variable association described before. It is possible tocall up control buttons by clicking with the mouse on the desiredsimulator and by pressing a “control” function key.

In alternative, by the user command menu it is possible to select theVariable Value Definition command. Also this command may be activate bya quick button indicated at 49. This command or this tool allow to setmanually the variables used in the simulation. To select the variable adialog window is display as the one illustrated in FIG. 22.

The dialog window is very similar to the one used to select variables tobe controlled. The selecting procedure is similar to that of “control ofvariables”. To set the desired or proper value it is possible to use twochoice options located in the bottom corner on the right of the windowand selectable alternately “True/False”.

The button indicated at 50 allows to activate the remote connectionprocedure to a remote unit.

According to a further feature and referring to FIG. 4, the state andcolours of a graphic object in the layout of a station or of a zone orof a plant may be modified simply by clicking with the mouse on thegraphic object in the drawing.

The example that takes cue from FIG. 4 uses the signal 05d circled inblack and placed on the left side of the illustrated layout. The programdisplays a dialog window to set colours and state.

In this window is provided a “label” field containing the internal labelof the graphic object extracted by the corresponding TGIF or CAD drawingfile. The user cannot modify it. The content of this field is used tosolve the “0” parametric components of forms. An “Auxiliary String”modification box allows to define the parametric components of forms.Each parameter must be separated by the “,” character. The parameterindexing starts with 1, referred to the elements comprised in theauxiliary string. The string specification is not obligatory.

Additionally it is possible to use an “alias” modification box tospecify the alias name of the specified object. The alias name is usedto replace the label extracted from TGIF or CAD file when the programlists, in the command window, the objects that are changing their stateduring the simulation. In this modification box it is possible to inputany character. The specification of alias names is not obligatory. Theprogram prints the original labels in the command window when alias arenot specified.

A “Type” list contains the colour and state tables previously defined.The user can select one of these. If the object has already a definedcolour and state table, the list automatically highlights the current“type”.

It is also possible to set the assignment for a graphic object byclicking with the mouse on a confirmation button. The setting of newcolours and state occurs after the subsequent simulating cycle. If formsof a specific type cannot be found by using a specific label and theauxiliary string, the program sends an alert message and ignores theassignment.

Analogously to other functions already described, the dialog windowcomprises or may comprise other function buttons with a Cancel buttonthat allows to cancel the assignment or Cancel that allows to ignore theassignment.

Referring to a further advantageous feature, the device according to theinvention may comprise also a function for executing different automatictest backgrounds both on Boolean simulator tool and on the tool used forthe final functional test of the plant. Obviously, the execution of thisfunction allows the opening of a window that allows to select commands,options or to select graphic or control objects, analogously to whatpreviously described for other functions.

With the starting of graphic interface constituted of said window, listsfor selecting areas, type of equipments of the station plant aredisplayed together with corresponding data relevant to the station undertest. The user must select an element inside each lists i.e. an area anda type of equipment. Now, the program provides to display valuesrelevant to the equipment list of the selected equipment type of theselected area and the list of automatic tests which are available forthe selected equipment type.

The user has the possibility of selecting one or more elements from theabove lists i.e. selecting one or more equipments upon each of them oneor more automatic tests can be executed. In each lists to each selectioncorresponds the display of the selected element in correlated lists. Thecorrect selection that has been made respectively of an area, equipmenttype, equipment label and of the test label allows to start theexecution of the test by means of a “Launch Test” button. The user isasked to confirm the test execution in a dialog window. If the responseis affirmative, in the text box identificating the sigma “executiontest” will be displayed the label of the current test and of theequipment that is object of the test, while in another list of thegraphic interface will be displayed report messages.

After starting an automatic test, the button “Launch Test” label changesin “End Test”, giving the possibility to stop in any moment theautomatic test. After the stopping of a test, the button label changesagain to “Launch Test” state. It is also possible to executeindividually a single command.

An example of automatic test background is shown by the correspondingreport file enclosed to Al to A4 pages. The test is called “switchpoints on route (on routing)”. During the test the covered switch pointsof a route firstly are locked in opposed position with respect to theone expected by the route itself. Then the test background, bycommanding it more times, checks that the route does not block until allswitch points are free. It should be noted that the complete testexecution provides a series of other actions that are not subject of thepresent invention and that are not quoted for shortness reasons.

Referring to FIG. 1, the device according to the invention may be usedin conjunction with another device called Boolean validating or checker.

In this case it is a hardware/software device, i.e. a computer or apersonal computer that can be even the same computer of the deviceaccording to the present invention and wherein a program for executingthe check of the control and command logical program is loaded, i.e. achecker of Boolean equations. The check program may be of the typeoperating according to a diversity principle. Particularly the Booleanchecker may be composed of a comparator executing a comparison betweenthe command and control logical program, which is in the test step inthe device according to the invention, and a further control and commandlogical program which has been generated by generating means differentfrom that during the test step. It is possible to execute the comparisonboth regarding the Boolean equation system of the two control andcommand logical programs and regarding the results of the simulatingtest executed for both the programs.

In case, even the programs simulating operating units, i.e. stationequipments, areas or stations may be subjected to a similar diversitytest with the help of the Boolean checker.

According to a preferred type of checker this is composed of anindependent program that is executed on a different computer or on thesame computer of the device according to the invention. This programexecutes in parallel the test of the Boolean equation systemconstituting the control and command logical program that is subjectedto the check. In this case, the same logical program for controlling andcommanding the railway plant is subjected to a dual check test by meansof railway plant simulation according to what described above with twodisjoint programs and the behaviour of the simulated plant obtainedunder the control of the control and command logical program in the twodisjoint and parallel check tests is compared, error or alert filesbeing generated in case of differences.

According to a further feature of the invention, for each of the Booleanequation of the equation system that compose the logical program forcontrolling and commanding the railway plant, it is possible to displayboth a list of product terms that are part of the displayed equation andthe circuit corresponding to said displayed equation. FIGS. 23 and 24show the window for selecting equations and the window for displaying acircuit corresponding to one of said equation. The selection and theopening of the corresponding circuit can be activated by buttons or bymeans of the mouse.

According to a further feature of the invention, the device comprises aprogram for designing and generating Boolean simulators of equipments oroperating units that allows to generate new equipments with newbehaviours.

Equipments can be composed of basic components, i.e. components forsimulating a basic function and of complex components, i.e. a group ofbasic components operating in the sphere of an equipment simulatorhaving a more elaborate structure.

A basic component may be created or selected by a list of existingcomponents or crate. The basic component generating window issubstantially similar to the one of FIG. 9. Obviously in FIG. 9 it is acomponent already generated or close to the generation. Analogously towhat already said, a state table is generated wherein input variables,output variables, control ones and comments are defined. Variable valuesare selectable analogously to those provided for truth table and theprovided functions are similar. The automaton illustrated on the leftside of FIG. 9 (substantially similar to the one for generating theequipment simulator) is the Markov automaton, wherein states arerepresented by circles drawn along an horizontal line, by usingdistances calculated according to the description of the longer state.The description of the state is indicated by variables on the right ofthe circle, the state is composed by the local variable alias, thevariable assuming the “false” condition being illustrated with a mark onit. On the contrary, state transitions are illustrated by arcs goingfrom initial to final state and the direction of the state transition isindicated by an arrow upon the corresponding transition arc. By puttingthe mouse cursor upon the arrow of a transition arc are automaticallydisplayed transition conditions as one or more input, control and outputvariable group. Circle and arcs colours are given in a different waydepending on the configuration choices that have been set.

The individual basic components defined in such way can be combined orassociated therebetween to form complex components, being interfacedtherebetween by means of the indication of interfacing variables orinput and output internal variables.

It is also possible to display a block diagram of the structure of theequipment simulator as appears in FIG. 25.

It is clear from what disclosed before and as results from FIG. 1 thatthe device according to the invention may be provided also as a devicealways existing in the system for controlling and commanding plants as afurther non-vital node which can be activated both in emergency mode toexecute periodical checks of the control and command logical program aswell as backup unit or even as a device to modify and upgrade thecontrol and command logical program when the system is modified with theremoving or the addition of stations, areas or wayside equipments.

With regard to the device according to the invention it is generallyclear that it may be employed in any plant having structural analogieswith the described railway plant and that terms like station plant orplant area, operating unit and wayside equipment are similar terms.

1. A device for checking software engine for controlling and commanding a plant, the device comprising: at least a computer having at least a central processing unit and at least a memory for loading and executing programs; a logical engine for commanding the plant, the logical engine being loadable in the at least a memory for the execution of the logical engine, the logical engine providing control and command signals; a plurality of operating units capable of actuating detecting, measuring, and signaling, the plurality of operating units being further capable of receiving command signals and of transmitting control signals about the operating condition of the plant, the logical engine reading the control signals provided by the plurality of operating units and processing the command signals according to an operation protocol of the plant, wherein a plant simulation software is stored in the memory, wherein the plant simulation software is designed to be controlled and commanded by the logical engine, wherein the plant simulation software is loadable and executable by the at least a computer, and wherein the plant software simulation program simulates accurately the plant structure and the operating modes of the plurality of operating units provided in said plant.
 2. The device according to claim 1, wherein the plant simulation software comprises Boolean algorithms including variables, and wherein the variables are univocally defined to represent the control signals of different state and operating conditions of the plurality of operating units, and the command signals for commutating and maintaining the different state and operating conditions of the plurality of operating units.
 3. The device according to claim 1, further comprising means for displaying an image of plant behavior, wherein the means for displaying are controlled by the logical engine as variable lists univocally associated to the plurality of operating units as report files, and wherein the report files list one or more of the plurality of operating units and the associated state and command variables.
 4. The device according to claim 1, wherein the plant simulation software comprises means for setting starting operating conditions of the plant and means for simulating anomalous situations of plant operating units, in order to check the reaction of the plant to the anomalous situations.
 5. The device according to claim
 1. wherein a plant component is one of the plurality of plant operating units, a predetermined element of the plant, a predetermined area of the plant, to or the whole plant, wherein each plant component can be univocally associated to a virtual image, wherein the virtual image is generated by a graphic program loadable and executable by one of the at least a computer, wherein the virtual image is univocally correlated to the logical engine, wherein the graphic program is capable of generating several graphic aspect conditions of each plant component, and wherein each plant component is univocally correlated to a predetermined value of a variable relevant to the operating condition of the plant component and of a command variable for managing the operating state of the plant component.
 6. The device according to claim 5, further comprising a first program for simulating a relay operation and a second program for simulating a relay network operation, further comprising and graphic programs for representing relays univocally associated to the first program for simulating relay operation and to the second program for simulating relay network operation, wherein the operation of the logical engine is further represented as an equivalent command hardware logic comprising a relay network.
 7. The device according to claim 6, wherein each relay in the relay network is simulated by a logical program of Boolean type, wherein the relay network provides relay and commutation commands, wherein single state conditions of the relay and commutation commands are represented by state and command variables, and wherein the graphic programs for representing relays are such as to associate relay graphic aspects that are univocally correlated to values assumed by said state and command variables.
 8. The device according to claim 6, further comprising means for scheduling and configuring images and state and command variable lists of virtual operating units corresponding to the desired operational and state condition of the plant in conjunction with a predetermined operation situation, wherein means are provided for checking, directly and visually, a correct operation of the virtual operating units, wherein automatic check means are further provided comparing one or more of a predetermined nominal image, a nominal table, and a list of desired state and command variables in a virtual model of the plant with one or more of an image, a table and state and command variables that are actually processed during the operation of the logical engine, an error message being sent in case of non-identity.
 9. The device according to claim 8, further comprising means for displaying graphically and analytically which operating units have assumed a non-correct condition, and the corresponding state and command variables.
 10. The device according to claims 8, wherein the automatic check means are capable of analyzing the simulated representation of the relay network, indicating which relays have not been commutated in the correct condition and the corresponding commutation state and command variables.
 11. The device according to claim 8, further comprising means for automatically correcting the logical engine according to possible corrections made by a user to the state and commands variables, the state and command variables being manually modified because of a state and command error of one or more of a virtual operating unit and a relay within a corresponding command logical circuit situated in a virtual model of the plant and relay network.
 12. The device according to claim 8, wherein modification means provide modification interventions both of alphanumeric type, which modification interventions are executed on report files of state and command variables, and aspect interventions for graphically modifying the aspect of an operating unit and the relay, which aspect interventions correspond to the state of said operating unit and of said relay, and wherein analysis and interpretation means analyze state and command variable values that are manually set to correct any wrong values, analyze the logical engine, and modify the logical engine's code to commute an operating unit and a relay to the correct state condition, when an operating condition occurs due to which the logical engine had previously generated an error signal.
 13. The device according to claim 8, further comprising a Boolean simulation program simulating plant operations, further comprising means for associating operating units and plant structural elements so to generate and find areas of the virtual plant and further find the corresponding parts of the logical engine that have plant components that recur in a plurality of plants, and so as to load and reuse in new plants having equal components both the Boolean simulation program, the graphic display program, and parts of the logical engine.
 14. The device according to claim 1, further comprising means for connecting and interfacing with a validation and certification system that is based on a system different from the logical engine for generating command and control signals.
 15. The device according to claim 14, wherein the validation and certification system comprises an additional program for generating control and command logical signals generated and memorized in the validation and certification system, wherein the additional program is generated through means different from the plant simulation software, and are wherein the additional program and the plant simulation software are compared so to verify that the additional program and the plant simulation software are identical.
 16. The device according to claim 15, wherein the additional program and the plant simulation software each comprise a Boolean equation system, and wherein the additional program and the plant simulation software are compared by comparing the Boolean equation system the additional program and the plant simulation software.
 17. The device according to claims 15, wherein the additional program and the plant simulation software are compared by comparing command and state variables of operating units and relays of the virtual relay network, both numerically and graphically.
 18. The device according to claim 17, further comprising means for displaying, in a combined way, graphic images of plant state conditions obtained with both the additional program and the plant simulation software.
 19. The device according to claim 18, further comprising means for displaying, by an overlap, plant layout images according to the additional program and the plant simulation software, wherein the overlapping highlights the possible differences between the plant images generated by the additional program and the plant simulation software, and wherein the possible differences are graphically highlighted in a visually relevant way.
 20. The device according to claim 15, wherein two different comparison modes with a virtual plant are provided in the logical engine, the two different comparison modes comprising a first comparison mode having a Boolean equation system and a second comparison mode having report files, the result of the first comparison mode being means to identify plant conditions wherein a difference has been noticed and must be subjected to the second comparison mode.
 21. The device according to claim 20, wherein a comparison relevant to plant conditions obtained by the different comparison modes is firstly executed, and wherein it is identified on which parts of the program the comparison can be limited within the Boolean equation system, in order to determine where actions are possible to correct the program.
 22. The device according to claim 15, wherein the validation and certification system is capable of analyzing, based on diversity, logical programs for simulating one or more of a single operating unit, plant area, the entire plant, and a logical program for simulating a relay network, and wherein the validation and certification system is capable of extending the analyzing, based on the diversity, even to programs for graphically representing one or more of an operating unit and a relay.
 23. The device according to claim 1, further comprising a network interface, wherein the device comprises a non-vital node of the railway plant, and wherein the device further comprises means for quickly modifying the control and command logical program and for virtually validating the same.
 24. The device according to claim 23, wherein the device, is capable of operating as a diagnostic and supervisory tool of the proper operation of the plant, and wherein the device reproduces a simulated plant simulating the actual plant in a desired state condition, the device further comprising a comparator between the state condition assumed by the plant and the state condition assumed by the simulated plant.
 25. The device according to claim 23, wherein the device is capable of simulating emergency interventions before their applications to the plant, and wherein in an emergency situation it is possible to simulate several intervention and command possibilities to be executed on the plant, self thereby indicating the optimal choice among the intervention and command possibilities.
 26. The device according to claim 1, further comprising tools for executing simulating functions with a user interface of the type used by a desired computer operating system, thereby providing an operator with operating windows having function buttons, quick choice menus and other functionalities typical of said user interface, in addition to the use of a pointing system, selection and command input systems, and a keyboard to input numerical data, the operating windows providing graphic images of operating units, relays, and other parts of the plants.
 27. The device according to claim 1, further comprising means for setting specific operating conditions of the plant and anomalous situations in the plant, and further for checking the changes in operating conditions in the plant according to different operating environments.
 28. The device according to claim 27, wherein manually setting means are provided to an operator of the device, wherein the manually setting means impose, at the starting of the cycle for executing control and command signals, specific state conditions to the plurality of operating units, wherein conditions may be provided that cause one or more of the plurality of operating units to operate anomalously, and wherein the one or more of the plurality of operating units operate anomalously by operating incorrectly or by failing to operate.
 29. A method for checking a software logical engine for controlling and commanding a plant, the method comprising: using at least a central processing unit and at least a memory for loading and executing programs; for commanding the plant with a logical engine, the logical engine being loadable in said at least a memory for the execution of the logical engine, the logical engine providing command and control signals; receiving command signals and transmitting control signals related to the operating conditions of a plurality of operating units situated in the plant, the plurality of operating units being capable of actuating, detecting, measuring, and signaling; reading with the logical engine the control signals provided by the plurality of operating units; and processing the command signals of said plurality of operating units according to an operating protocol of the plant, wherein a plant simulation software is controlled and commanded by the logical engine is loadable in the at least a memory, wherein the plant simulation software is designed to be executed by the at least a central processing unit, and wherein the plant simulation software simulates accurately the plant structure and the operating modes of the plurality of operating units provided in said plant.
 30. The method according to claim 29, wherein the plant simulation software comprises Boolean algorithms including variables, and wherein the variables are univocally defined to represent control signals of different state and operating conditions of the plurality of operating units as well as command signals for commutating and maintaining the different state and operating conditions of the plurality of operating units.
 31. The method according to claim 29, wherein an image of a simulated behavior of the plant under the control of the logical engine is displayed as variables list univocally associated to the plurality of operating units as report files, and wherein the plurality of operating units and the state and command variables associated with the plurality of operating units are listed.
 32. The method according to claim 29, wherein a user is capable of setting the operating conditions of the plant at start-up, and wherein the user is further capable of setting specific conditions of the plurality of operating units, thereby verifying the reaction of the plant to the set conditions.
 33. The method according to claim 29, wherein a virtual image of one of the plurality of operating unit and of a plant structural element can be univocally associated to the plant operating unit and the plant structural element, wherein the virtual image is generated by a graphic program loadable and executable by the central processing unit, wherein the virtual image is univocally correlated to the logical engine; wherein the graphic program is capable of generating several graphic aspect conditions of one or more of the plurality of operating units, and wherein each of the plurality of operating units is univocally correlated to a predetermined value of variable relative to the operating condition of the operating unit and of a variable related to the operating state of the operating unit.
 34. The method according to claim 33, wherein the operation of the logical engine is capable of being represented in parallel and in the alternate as a relay network, and wherein simulating program of relay operation and a simulating program of relay network operation are provided, as well as graphic programs for representing relays univocally associated to the relay simulation program and the graphic program.
 35. The method according to claim 34, wherein the plant comprises relays that are capable of receiving commutation commands, wherein each relay is simulated by a Boolean logical program, wherein individual state conditions of the relays and of the commutation commands are represented by state and command variables, and wherein graphic programs associate different graphic aspects of the relays univocally with values assumed by said state and command variables.
 36. The method according to claim 34, further comprising the step of displaying the functional behavior of the plant, wherein the display of the functional behavior of the plant is executed according to two modes, the two modes comprising a first mode having a report file that displays values of state variables generated by the plant simulation software, and a second mode having a graphic representation of the operating condition of plurality of operating units, thereby enabling a user to check in detail the plurality of operating units, and therefore the physical operation modes thereof both in an analytic way and in a direct visual way.
 37. The method according to claim 36, further comprising the capability of setting specific operating conditions of the plant, anomalous situations in the plant and plant reactions according to several operating environment.
 38. The method according to claim 37, wherein the capability of setting can be implemented at a specific step of the plant simulation software, wherein it is possible to provide by a suitable scheduling even conditions wherein one or more the plurality of operating units are operating anomalously, and wherein the one or more of the plurality of operating units operate anomalously by operating incorrectly or by failing to operate.
 39. The method according to claim 37, further comprising the step of scheduling and configuring images and state and command variables of virtual operating units corresponding to the desired operational and state conditions of the plant and a predetermined situation of operation, and the step of executing a direct and visual check of correct operation and an automatic check based on the comparison between a nominal image and a nominal list of desired state and command variables, and the image and state and command variables really processed during the operation of the logical engine, an error message being sent in case of non-identity.
 40. The method according to claim 39, wherein the automatic check is capable of providing a graphic and analytical display of the operating unit that has assumed a non-correct condition, and of providing the corresponding state and command variables, and the graphic and analytic display of state variables of the simulated relay network.
 41. The method according to claim 39, further comprising the step of providing automatic tools for correcting the logical engine according to possible corrections made by the user to the state and command variables, the state and command variables being manually modified because of a state and command error of one or more of a virtual operating unit and of a relay in the command logic within a virtual model of the relay network.
 42. The method according to claim 41, wherein modification interventions can be executed both of alphanumeric type on report files of state and command variables, and of graphic type on the operating unit and the relay, the graphic interventions corresponding to the state of said operating unit and said relay, said alphanumeric and graphic interventions being performed by a correction program that analyzes state and command variables values that are manually set to correct undesired values, and that further analyzes the logical engine and modifies the logical engine's code to commute the operating unit and the relay to the desired state conditions when an operating condition occurs due to which the logical engine had generated an error.
 43. The method according to claim 39, further comprising the step of providing a Boolean simulation program simulating plant operations, wherein the read in of areas of the simulated plant operations and the corresponding parts of the logical engine comprise plant structures that recur in several plants, so to be able to load and reuse both the Boolean simulation program, and a related graphic display program, and parts of the logical engine in new plants having equal operations.
 44. The method according to claim 39, further comprising the step of providing an alternative and a parallel execution of a check of the logical engine during test step with the plant simulation software, wherein the alternative and the parallel execution comprise using a Boolean checker that employs a control and command logical program generated with diversity principles and that compares the logical engine during the test step with the command and control logical program generated with diversity principles.
 45. The method according to claim 44, for further comprising the step of providing an additional program for generating the control and command instructions related to the test step, wherein the additional program operates according to a code different from that of the plant simulation software, wherein the additional program and the plant simulation software each comprise a Boolean equation system, and wherein the additional program and the plant simulation software are compared by the Boolean checker to identify difference in the Boolean equation systems.
 46. The method according to claim 45, wherein the control and command logical program is subjected to the test step by using a virtual plant, and wherein the results obtained by the control and command logical program and the plant simulation software are compared.
 47. The method according to claim 46, further comprising the capability of providing a display, both in the shape of comparative tables of variables and in the shape of graphic comparisons, of operational differences between the control and command logical program and the plant simulation software, the operational differences being generated according to diversity criterions, and of operational differences between relay networks that correspond to the two Boolean equation systems, the variables and the graphic comparisons being highlighted which are different both within the comparative tables and within the graphic comparisons.
 48. The method according to claim 47, further comprising the step of providing an overlap of graphic images of the plant state conditions obtained by the control and command logical program and by the plant simulation software, differences in the overlap of the graphic images of the plant state condition being graphically highlighted.
 49. The method according to claim 48, wherein the two modes for displaying the functional behavior of the plant can be executed in alternative and in sequence wherein the control and command logical program and the plant simulation software are compared at the Boolean equation system level and at the result of the test step, and wherein the sequence order of the two modes is capable of modification.
 50. The method according to claim 49, wherein the control and command logical program and the plant simulation software are compared with comparison steps comprising: a first comparison in relation to plant conditions obtained by the control and command logical program and the plant simulation software; identifying, in the basis of the first comparison, on which parts of the control and command logical program and of the plant simulation software subsequent comparison actions can be limited; executing a second comparison in relation to the Boolean equations of the control and command logical program and of the plant simulation software, the second comparison being limited to the equations that caused the functional divergences that were found in the first comparisons; executing the possible corrective actions thereof and error detections on the Boolean equations identified as responsible for the divergent behavior of the plant.
 51. The method according to claim 50, wherein the first and second comparisons are executed with a program generated according to a different code, wherein the capability is provided of executing additional comparison steps related to the simulation and the graphic representation of operating units, the plant structure, and the relays and the relay network.
 52. The method according to claim 50, further comprising the step of certifying the plant simulation software with parallel means, the parallel means comprising an additional independent program that executes in parallel the test of the Booleans equation system comprised in the plant simulation software, thereby executing a double test by performing a plant simulation, the behavior of the simulated plant obtained with the plant simulation program software in the two separated and parallel test steps being compared, and one or more of alert and error files being generated in case of a discrepancy.
 53. The method according to claim 45, further comprising the step creating an operating connection to remote operating units and remote networks, so to be able to command test functions from a remote workstation and to execute alternative functions as functions of a non vital node of the plant.
 54. The method according to claim 53, further comprising the step of updating the plant simulation software and the test steps in case of a structural modification of the plant.
 55. The method according to claim 53, further comprising the step supervising and diagnosing the correct operation of the plant by executing a comparison between the state conditions assumed by the plant and the state conditions assumed by the simulated plant.
 56. The method according to claim 53, further comprising the step of simulating a virtual emergency for intervention and command on the plant, thereby implementing on the plant only the choice that offers the optimal solution under an emergency condition among the possible choices.
 57. The method according to claim 29, further comprising the step of executing simulation functions with an user interface of an operating system displaying operating windows with function buttons, quick choice menus and other functionalities within the operating windows, further comprising the capability of using pointing means, and keyboard to input numerical, alphanumerical data, and numerical and alphanumerical commands, thereby creating and modifying graphic images of operating units, relays, and other parts of the plant structure.
 58. A computer-readable medium of instructions, the computer-readable medium of instructions being capable of verifying a logical program for controlling and commanding a plant, the computer-readable medium of instructions further having application means on a simulated plant, the computer-readable medium of instructions comprising: at least a central processing unit and at least a memory for loading and executing programs; means for commanding the plant with a logical engine, the logical engine being loadable in the at least a memory for the execution of the logical engine, the logical engine further providing command and control signals: means for receiving command signals and transmitting control signals related to the operating condition of a plurality of operating units situated in the plant, the plurality of operating units being capable of actuating, detecting, measuring, and signaling; means for reading with the logical engine the control signals provided by the plurality of operating units; and means for processing the command signals of the plurality of operating units according to an operating protocol of the plant, wherein a plant simulation software that is controlled and commanded by the logical engine is loadable in the at least a memory, wherein the plant simulation software is capable of being executed by the at least a central processing unit, and wherein the plant simulation software simulates accurately the plant structure and the operating modes of the plurality of operating units provided in the plant. 